Compromised passwords represent some of the weakest links in online security. Financially motivated hackers steal credentials using a myriad of techniques ranging from brute force attacks to scanning cloud resources for exposed and forgotten credentials left on publicly accessible servers.
Over 80 percent of hacking-related data breaches involve brute force or the use of lost, stolen, or compromised passwords, according to the 2023 Verizon Data Breach Investigations Report. Moreover, research from Carnegie Mellon University’s Security and Privacy Institute (CyLab) found that only one-third of users change their passwords following a data breach announcement.
Even with multi-factor authentication and passwordless technologies available, compromised passwords remain a prime target for malicious actors. Attackers holding stolen credentials can move laterally across networks and services to exfiltrate sensitive data, steal cryptocurrency, and even enter physical facilities. As organizations move more and more IT resources to the cloud, the exposure grows: Gartner has predicted that through 2025, 99% of cloud security failures will be the customer's fault, overwhelmingly through misconfiguration, and misconfigurations that expose credentials are a major attack vector for bad actors.
To help organizations mitigate data breaches, RangeForce has designed hands-on security training modules that cover the top tactics that adversaries use to exploit passwords and enterprise credentials.
Credential stuffing replays large sets of usernames and passwords stolen from one breach against the logins of other services, using automated login tools; it works because people reuse passwords across sites. According to Microsoft, bad actors use credential stuffing to test tens of millions of credential pairs daily. General-purpose scripting tools such as Selenium, cURL, and PhantomJS can drive the attempts, alongside purpose-built tools like Sentry MBA, SNIPR, and OpenBullet.
Unlike credential stuffing, which replays known username and password pairs, password spraying tries a short list of commonly used passwords such as p@ssw0rd and qwerty123 against a large number of accounts, one or two guesses per account, so that no single account trips a lockout threshold. It is estimated that 16 percent of password attacks are password spraying attacks.
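Both credential stuffing and password spraying leave a recognizable shape in authentication logs: one source touching many accounts with very few attempts per account, as opposed to a brute force attack hammering one account. The following added example (not RangeForce's code or part of the original page) slides a time window over constructed log lines and classifies each source IP. The log format, the thresholds and the sample lines are all assumptions made for illustration; from the log alone you cannot separate spraying from stuffing, since the guessed passwords are never logged, but stuffing typically shows a higher success rate.

```python
"""Spotting password spraying / credential stuffing and brute force in auth logs.

Added example, not code from RangeForce or the original page. The log format
("<ISO timestamp> <source IP> <username> <OK|FAIL>"), the thresholds and the
sample lines are all constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries 12 accounts once each (two succeed),
# a second source hammers a single account 30 times, a third is a normal user.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} 203.0.113.5 user{i:02d} {'OK' if i in (3, 9) else 'FAIL'}"
     for i in range(12)]
    + [f"2024-03-01T09:05:{i:02d} 198.51.100.7 carol FAIL" for i in range(30)]
    + ["2024-03-01T09:10:00 192.0.2.10 dave FAIL",
       "2024-03-01T09:10:08 192.0.2.10 dave OK"]
)


def parse(log_text):
    """Return (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort()
    return events


def analyze(events, window=timedelta(minutes=5), spray_users=10, brute_attempts=20):
    """Slide a time window over each source IP's events and classify the source.

    - many distinct accounts, at most a couple of failures each -> spraying or
      stuffing (the log does not contain the guessed passwords, so the two
      cannot be told apart here)
    - one account failing `brute_attempts` or more times -> brute force
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best, end = None, 0
        for start in range(len(evs)):
            # two-pointer window: events are sorted, so `end` only moves forward
            while end < len(evs) and evs[end][0] - evs[start][0] <= window:
                end += 1
            chunk = evs[start:end]
            fails = Counter(e[2] for e in chunk if not e[3])
            users = {e[2] for e in chunk}
            worst_user = max(fails.values(), default=0)
            if len(users) >= spray_users and worst_user <= 2:
                pattern = "spray_or_stuffing"
            elif worst_user >= brute_attempts:
                pattern = "brute_force"
            else:
                continue
            if best is None or len(chunk) > best["events"]:
                best = {
                    "pattern": pattern,
                    "events": len(chunk),
                    "users": len(users),
                    "failures": sum(fails.values()),
                    "successes": sum(1 for e in chunk if e[3]),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

In production the same logic runs over a SIEM query grouped by source address; the important design choice is keying on distinct accounts per source rather than failures per account, because spraying is built precisely to stay under per-account lockout thresholds.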
Phishing is a social engineering attack that uses deception techniques to trick recipients into clicking on a malicious URL, typically to steal information or credentials. Phishing scams are extremely popular, and they are on the rise with more stealthy techniques that are harder to detect.
Keylogging attacks use malware to record a user's keystrokes, including passwords, and send them back to the attacker. Because keystrokes are captured before the browser encrypts them, the technique has proven effective for stealing credentials for online bank accounts, email accounts, and sites that are otherwise well protected by TLS.
Brute force attacks try as many password candidates as possible with automated tools, either online against a login or, far more often, offline against password hashes obtained from a "dump". Exhaustive search is slow and expensive in compute, and is used by criminals and governments alike. Free tools such as Aircrack-ng (for Wi-Fi keys) and John the Ripper (for password hashes) are easy to find online.
A dictionary attack, a form of brute force attack, tries every word in a wordlist, plus common variations, as the password. Against a dumped hash, automated tools can test an entire dictionary in seconds; against a live login the rate is bounded by the server, which is why lockouts and rate limiting matter.
Rainbow table attacks are used to recover passwords, or other short values such as credit card numbers, from unsalted hashes. A rainbow table is a precomputed set of hash chains over a password keyspace, a time-memory trade-off that lets an attacker look up a captured hash far faster than brute forcing it. Because the table is built for one hash function over one keyspace, a per-user salt defeats it: the salted input is no longer in the keyspace the table covers.
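To make the difference between a dictionary attack and a rainbow table concrete, the following added example (not RangeForce's or the page's code) cracks unsalted SHA-1 hashes both ways over a toy keyspace of three lowercase letters. The chain length, table size and reduction function are arbitrary choices for illustration; real tables target hash types such as MD5, LM or NTLM over much larger keyspaces. The final check shows why a salt pushes the hash outside what the table covers.

```python
"""Dictionary attack and a miniature rainbow table against unsalted SHA-1.

Added example, not code from the original page. The keyspace (three lowercase
letters), chain length and table size are toy parameters chosen so the whole
thing runs in about a second.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN   # 17,576 candidate passwords
CHAIN_LEN = 50                       # hashes covered per chain
NUM_CHAINS = 1500                    # start points stored in the table


def H(password: str) -> str:
    """The unsalted hash the attacker is trying to invert."""
    return hashlib.sha1(password.encode()).hexdigest()


def index_to_pw(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_fn(hex_digest: str, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives
    every step of a chain a different reduction, so two chains that collide
    at different columns do not merge (the property that makes the table
    'rainbow' rather than a plain Hellman table)."""
    n = (int(hex_digest[:16], 16) + column) % KEYSPACE
    return index_to_pw(n)


def build_table():
    """endpoint -> start. Only the two ends of each chain are stored; the
    middle is recomputed on demand, which is the memory saving."""
    table = {}
    for i in range(NUM_CHAINS):
        start = index_to_pw((i * 7) % KEYSPACE)  # deterministic, distinct starts
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_fn(H(pw), col)
        table.setdefault(pw, start)  # keep the first chain if two share an endpoint
    return table


def rainbow_lookup(table, target):
    """Return the password whose hash is `target`, or None if not covered."""
    for i in range(CHAIN_LEN - 1, -1, -1):      # assume target sits at column i
        cand = reduce_fn(target, i)
        for col in range(i + 1, CHAIN_LEN):     # walk the rest of the chain
            cand = reduce_fn(H(cand), col)
        start = table.get(cand)
        if start is None:
            continue
        pw = start                              # endpoint known: rebuild the chain
        for col in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = reduce_fn(H(pw), col)
        # endpoint matched but the chain never produced target: a false alarm
    return None


def dictionary_attack(target, wordlist):
    """Plain dictionary attack: hash each candidate and compare."""
    for word in wordlist:
        if H(word) == target:
            return word
    return None


if __name__ == "__main__":
    table = build_table()
    print("dictionary:", dictionary_attack(H("cat"), ["dog", "cat", "emu"]))
    print("rainbow:", rainbow_lookup(table, H("qzx")))
    print("salted:", rainbow_lookup(table, H("s4lt" + "cat")))  # None
```

The table covers at most NUM_CHAINS times CHAIN_LEN of the 17,576 candidates, so `rainbow_lookup` can legitimately return None for an in-keyspace password; coverage, not correctness, is what the attacker tunes with those two parameters. Salting makes the point the paragraph above describes: H("s4lt" + "cat") is a perfectly ordinary hash, but the input is 7 characters long and the table was only ever built for 3-character inputs.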
Many enterprise users unwittingly build passwords from words associated with the company itself or its products. Exploiting this, attackers use a technique called spidering: automated bots crawl the company's websites and public documents, much like a search engine crawler, collecting product names, jargon, and other password-worthy words into a targeted wordlist. Web Application Firewalls (WAF), IP fingerprinting, user behavior analysis, and machine learning can help identify and mitigate this kind of web scraping.
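The wordlist side of spidering is straightforward to show. The added example below (not RangeForce's code; the same idea as tools like CeWL, but not their code) strips the text out of a set of pages, counts candidate words, and mangles the most frequent ones with the suffixes and leet substitutions users actually apply. The HTML pages, the company name and the mangling rules are constructed for illustration; a real run would fetch the pages over HTTP instead of reading a literal.

```python
"""Building a company-specific wordlist by spidering its web pages.

Added example, not RangeForce's code. The pages below are constructed; a real
spider would fetch and follow links rather than read a dictionary literal.
"""
import re
from collections import Counter
from html.parser import HTMLParser

SAMPLE_PAGES = {  # constructed: URL -> HTML body
    "https://acme.example/": (
        "<html><title>Acme Robotics</title><body><h1>Welcome to Acme Robotics</h1>"
        "<p>Our flagship product, the Widgetron, ships in 2024. "
        "Contact sales@acme.example.</p>"
        "<script>var analyticsToken = 1;</script></body></html>"
    ),
    "https://acme.example/about": (
        "<html><body><p>Acme was founded in Springfield. "
        "Widgetron powers the Acme fleet.</p></body></html>"
    ),
}


class TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def harvest_words(pages, min_len=4):
    """Count words of at least `min_len` characters across all pages."""
    counts = Counter()
    pattern = re.compile(r"[A-Za-z][A-Za-z0-9]{%d,}" % (min_len - 1))
    for html in pages.values():
        parser = TextExtractor()
        parser.feed(html)
        counts.update(pattern.findall(" ".join(parser.parts)))
    return counts


def mangle(word, years=(2023, 2024), suffixes=("!", "1", "123")):
    """Case variants, a leet variant, and the usual year/suffix appendages."""
    bases = {word, word.lower(), word.capitalize(), word.upper(),
             word.lower().translate(str.maketrans("aeios", "43105"))}
    out = set()
    for b in bases:
        out.add(b)
        out.update(b + s for s in suffixes)
        for y in years:
            out.add(f"{b}{y}")
            out.add(f"{b}{y}!")
    return out


def build_wordlist(pages, top=20):
    counts = harvest_words(pages)
    candidates = set()
    for word, _ in counts.most_common(top):
        candidates |= mangle(word)
    return sorted(candidates)


if __name__ == "__main__":
    for cand in build_wordlist(SAMPLE_PAGES):
        print(cand)
```

The output feeds a password spraying run or an offline cracker; the defensive reading of the same list is to ban those candidates in the password policy, which is exactly what a breached-password or custom-dictionary check in an identity provider does.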
Developers do not always follow best practices when managing system secrets and access credentials on code hosting and development platforms. Credentials or tokens mistakenly committed to a repository (and still present in its history after a later deletion) can be exploited to access additional resources. Attackers run automated secret scanning across public repositories to find and exploit such mismanaged secrets. In response, GitHub regularly scans repositories for known secret formats and alerts the issuing providers so leaked tokens can be revoked before they are abused.
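A secret scanner combines two kinds of rule: exact formats for tokens that have a recognizable prefix, and a generic "something named like a secret is assigned a long literal" rule backed by an entropy check to separate real keys from placeholders. The added example below (not GitHub's scanner or RangeForce's code) does both over a constructed settings file. The AWS key pair in the sample is the placeholder AWS uses in its own documentation, the GitHub token is a made-up string in the `ghp_` format, and the entropy threshold is an assumption.

```python
"""Scanning source text for leaked credentials.

Added example, not GitHub's or RangeForce's scanner. The sample file is
constructed; the AWS key pair is the documentation placeholder AWS publishes,
the GitHub token is a made-up string in the ghp_ format, and the entropy
threshold is a tunable guess.
"""
import math
import re
from collections import Counter

SAMPLE_FILE = """\
# settings.py (constructed)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
DB_PASSWORD = "changeme"
API_URL = "https://api.example.com/v1"
"""

# Fixed-format tokens: a match is a finding regardless of entropy.
FORMAT_RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Generic rule: a secret-looking name assigned a quoted literal of 8+ chars.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api_?key)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption for illustration


def shannon_entropy(s):
    """Bits per character; random keys score high, words like 'changeme' low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reported = set()
        for name, rx in FORMAT_RULES:
            for m in rx.finditer(line):
                reported.add(m.group(0))
                findings.append({"line": lineno, "rule": name, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value in reported:
                continue  # already reported under a specific format rule
            ent = shannon_entropy(value)
            findings.append({
                "line": lineno,
                "rule": "hardcoded_credential",
                "value": value,
                "entropy": round(ent, 2),
                "high_entropy": ent >= ENTROPY_THRESHOLD,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILE):
        print(f)
```

Run against `git log -p` output rather than the working tree to catch secrets that were deleted in a later commit but survive in history. A low-entropy hit like `changeme` is still a hardcoded credential; the entropy flag is there to prioritize, not to suppress.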
Amazon S3 buckets are a common attack vector and must be properly managed and configured. A typical data exfiltration attack involving an S3 bucket may start with credentials that employees have left in a popular internal tool, or simply with bucket enumeration: many free S3 scanning tools exist that guess bucket names derived from a company or product and flag the ones that are publicly listable, handing the attacker thousands of credentials at a time when a bucket holds configuration files or backups. Mitigating S3 bucket scanning attacks includes enabling S3 Block Public Access at the account level, least-privilege bucket policies, and disabling legacy bucket ACLs.
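The weak configuration and its fix are easiest to see side by side. The added example below (not RangeForce's or AWS's code) holds a constructed bucket policy that grants anonymous read and list access, a hardened replacement that grants read to one IAM role and denies unencrypted transport, and two checks: one that flags `Allow` statements with a wildcard principal and one that confirms all four S3 Block Public Access settings are on. The bucket name, account ID and role name are placeholders.

```python
"""Spotting a public S3 bucket policy and the hardened form beside it.

Added example, not RangeForce's or AWS's code. Bucket name, account ID and
role name are constructed placeholders.
"""
import json

# Constructed: anyone on the internet can list the bucket and fetch objects.
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::acme-reports", "arn:aws:s3:::acme-reports/*"]
  }]
}""")

# Constructed: one role may read objects; everything over plain HTTP is denied.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReportsRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::acme-reports/*"
  }, {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::acme-reports", "arn:aws:s3:::acme-reports/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# The four flags returned by the GetPublicAccessBlock API; all must be true.
BLOCK_PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy):
    """Allow statements open to everyone. A Deny with Principal "*" is fine;
    an Allow with a Condition is reported too, flagged as conditional, since
    conditions such as aws:SourceVpce still need a human to judge them."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action")),
            "conditional": bool(st.get("Condition")),
        })
    return findings


def block_public_access_ok(config):
    """config is the PublicAccessBlockConfiguration dict from the API."""
    return all(config.get(flag) is True for flag in BLOCK_PUBLIC_ACCESS_FLAGS)


if __name__ == "__main__":
    print("public policy:", find_public_grants(PUBLIC_POLICY))
    print("hardened policy:", find_public_grants(HARDENED_POLICY))
    print("BPA ok:", block_public_access_ok({f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}))
```

To run the same checks against a live account, feed `find_public_grants` the JSON from `aws s3api get-bucket-policy --bucket <name>` and `block_public_access_ok` the configuration from `aws s3control get-public-access-block --account-id <id>`; with the account-level block enabled, a policy like PUBLIC_POLICY is rejected at the API rather than merely flagged afterwards.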
Security policies and training around passwords are mission-critical for organizations. Organizations must establish strict password policies and IT controls, which enforce strong passwords and enable two-factor or multi-factor authentication when possible. Also, organizations should work to ensure that security teams have a deep understanding of password exploitation techniques and are continuously practicing the security skills needed to thwart these attacks.
RangeForce offers in-depth cybersecurity training modules that cover all 10 of these potential attack vectors for your cyber team to learn in a simulation-based environment.
Learn more about RangeForce and our extensive set of hands-on cyber skills training modules.